dunglas / mercure

🪽 An open, easy, fast, reliable and battery-efficient solution for real-time communications
https://mercure.rocks
GNU Affero General Public License v3.0

405 Method not allowed (CORS issue?) #513

Closed martinopic closed 3 years ago

martinopic commented 3 years ago

Hi,

We have installed Mercure version 2.3.0 listening on port 3000 and have an application running over HTTPS on the same server/same domain on port 443 using the service.

We are always getting a 405 Method Not Allowed for all OPTIONS preflight requests from the JS app to the Mercure server. We tried to configure CORS, both by setting the appropriate headers in the Caddy conf and by adding the specific Mercure cors directive, but nothing happens.

Strangely enough, it seems the Content-Security-Policy header cannot be overridden, just removed with the "-" configuration. We receive

Content-Security-Policy default-src 'self'

and were trying to override it with

Content-Security-Policy "default-src 'self' https://appdomain;"

but Mercure just seems to ignore it.

```caddyfile
{
  auto_https off
}

:3000 {
  header {
    # Content-Security-Policy "default-src 'self' https://appdomain;"
    Access-Control-Allow-Origin https://appdomain
    #Access-Control-Allow-Methods "GET, OPTIONS, POST, DELETE, PATCH, PUT"
    Access-Control-Allow-Methods *
    Access-Control-Allow-Headers *
    #-Content-Security-Policy
  }

  tls /etc/letsencrypt/live/app/fullchain.pem /etc/letsencrypt/live/app/privkey.pem

  log {
    level debug
  }

  route {
    encode zstd gzip

    mercure {
      # Caddyfile subdirectives take no trailing colon
      publish_origins https://appdomain
      cors_origins https://appdomain

      # Transport to use (default to Bolt)
      transport_url {$MERCURE_TRANSPORT_URL:bolt://mercure.db}
      # Publisher JWT key
      publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
      # Subscriber JWT key
      subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
      # Extra directives
      {$MERCURE_EXTRA_DIRECTIVES}
    }

    respond /healthz 200

    respond "Not Found" 404
  }
}
```

This is a typical response we get to a preflight OPTIONS request:

```
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 405 Method Not Allowed
< Access-Control-Allow-Headers: *
< Access-Control-Allow-Methods: *
< Access-Control-Allow-Origin: https://appdomain
< Server: Caddy
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Xss-Protection: 1; mode=block
< Date: Wed, 05 May 2021 11:58:10 GMT
< Content-Length: 0
```

This does not seem to be any of the reported CORS issues, nor is it clear what it could be or why we cannot override the Content-Security-Policy header, which we suspect could be the problem.

Thanks for any support
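
As an added example (not code from the Mercure project or from the issue author), the following Python applies the browser-side preflight rules from the Fetch specification to the captured OPTIONS response above. Beyond the non-2xx status, it shows that `*` in Access-Control-Allow-Methods/Headers and a missing Access-Control-Allow-Credentials would still fail a credentialed subscribe (EventSource with withCredentials, or a fetch sending an Authorization header); the sample response is transcribed from the curl output above and labelled as constructed.

```python
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# Constructed sample: the 405 preflight response posted above, status line and headers only.
SAMPLE_405 = """HTTP/1.1 405 Method Not Allowed
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: https://appdomain
Server: Caddy"""

def parse_response(raw):
    """Return (status_code, {lower-case header name: value}) from a raw HTTP response."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def _csv(headers, name):
    return [v.strip().lower() for v in headers.get(name, "").split(",") if v.strip()]

def preflight_problems(raw, origin, method, unsafe_headers=(), credentials=True):
    """Reasons (Fetch spec preflight rules) a browser rejects this response; [] means pass.
    credentials=True models EventSource withCredentials or a fetch sending Authorization
    (how a Mercure subscriber usually presents its JWT); unsafe_headers triggered the preflight."""
    status, h = parse_response(raw)
    problems = []
    if not 200 <= status < 300:
        problems.append(f"status {status} is not 2xx; Access-Control-* headers are ignored")
    acao = h.get("access-control-allow-origin")
    if acao is None:
        problems.append("no Access-Control-Allow-Origin header")
    elif acao == "*" and credentials:
        problems.append("wildcard origin is rejected for credentialed requests")
    elif acao != "*" and acao != origin:
        problems.append(f"origin {origin} not allowed (server allows {acao})")
    if credentials and h.get("access-control-allow-credentials", "").lower() != "true":
        problems.append("credentialed request needs Access-Control-Allow-Credentials: true")
    methods = _csv(h, "access-control-allow-methods")
    if (method.lower() not in methods and method.upper() not in SAFELISTED_METHODS
            and (credentials or "*" not in methods)):
        problems.append(f"method {method} not allowed ('*' does not cover credentialed requests)")
    allowed = _csv(h, "access-control-allow-headers")
    for name in unsafe_headers:
        # Authorization is never matched by '*'; other headers are, but only without credentials.
        if name.lower() not in allowed and (
                name.lower() == "authorization" or credentials or "*" not in allowed):
            problems.append(f"request header {name} not allowed")
    return problems
```

Running `preflight_problems(SAMPLE_405, "https://appdomain", "GET", ["Authorization"])` lists three problems: the 405 status, the missing Allow-Credentials header, and Authorization not being covered by the `*` wildcard.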

martinopic commented 3 years ago

For anybody having the same problem: I could solve it by configuring the Apache web server on the same machine to proxy Mercure.

Having the application that wants to use Mercure on "appdomain" (https://appdomain), and Mercure and Apache installed on the same server:

1) Load the proxy modules in Apache:

```apache
# mod_proxy_http and mod_proxy_http2 depend on mod_proxy, so it must be loaded as well
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_http2_module /usr/lib/apache2/modules/mod_proxy_http2.so
```

2) Configure the proxy in the application's virtual host:

```apache
ProxyPass /hub/ http://localhost:3000/
ProxyPassReverse /hub/ http://localhost:3000/
```

3) Configure Mercure to listen on port 3000 (no HTTPS):

```caddyfile
{
  auto_https off

  # Debug mode (disable it in production!)
  {$DEBUG}

  # HTTP/3 support
  servers :3000 {
    protocol {
      experimental_http3
    }
  }

  http_port 3000
}

appdomain:3000 {
  log {
    level info
  }

  route {
    encode zstd gzip

    mercure {
      # Caddyfile subdirectives take no trailing colon
      publish_origins https://appdomain/hub
      cors_origins https://appdomain/hub

      # Transport to use (default to Bolt)
      transport_url bolt:///var/run/mercure.db
      # Publisher JWT key
      publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
      # Subscriber JWT key
      subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
      # Extra directives
      {$MERCURE_EXTRA_DIRECTIVES}
    }

    respond /healthz 200

    respond "Not Found" 404
  }
}
```

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

martinopic commented 3 years ago

I don't think this issue should be closed, as it addresses the problem of installing a Mercure hub on the same server where an application is installed. I think it could be a pretty common case for small applications.